Windows NT 4.0 Wins C2 Certification

On December 6, Microsoft announced that Windows NT 4.0 has qualified for the US Government’s C2 security certification. NT 4.0 received both Orange Book C2-level evaluation and FIPS 140-1 validation of the cryptographic services that the Windows 95, Windows 98, Windows NT 4.0, and Windows 2000 (Win2K) OSs provide. Microsoft’s press release described the C2 rating as “generally acknowledged to be the highest rating that a general-purpose operating system can achieve.” The effect of this announcement is that Microsoft can now sell NT 4.0 into large high-security networks. Government networks, military contractors, and the financial community are among the potential customers that require a C2 rating.The process by which an OS achieves a C2 rating involves an evaluation team appraising the OS’s design process and system architecture, and reviewing the original source code in detail. The evaluation team scrutinizes the whole development process, including how the company designs, develops, and tests software. The appraisal also looks at how the company handles security breaches.C2 certification isn’t the most secure standard that the National Security Agency (NSA) gives for an OS; other ratings, such as B1 certification, are even more stringent in their requirements. However, attaining B1 certification is expensive, time-consuming, and requires substantial security expertise to satisfy the testing. In addition, the market for B1 software is small when compared to C2 software. The FIPS 140-1 standard is a joint US and Canadian government certification that verifies correct implementation of the OS’s cryptographic algorithms. Typically, cryptographic algorithms are based on published standards that interoperate among heterogeneous platforms. This certification tells potential customers that they can be confident in NT’s ability to interoperate in secure transmissions and communications.It’s ironic that the announcement came just 2 weeks before Win2K’s release to manufacturing (RTM), but C2 certification is a long process that the NSA’s Computer Security Center (NCSC) runs. NT 4.0 began the evaluation process shortly after shipping, and Win2K has now begun its journey through the process. NT 3.51 was the first version of NT to hold a C2 rating, which the NSA granted in 1995. For more information about Microsoft’s OS security features, go to the Microsoft Security Advisor Site. For more information about the C2 certification, see C2 Evaluation. For more information about the FIPS 140-1 certification, see FIPS 140-1 Evaluation.